ODPA publish latest personal data breach statistics

Published: 20 September 2022

The Office of the Data Protection Authority (ODPA) has published its latest breach statistics with 18 personal data breaches reported during July and August 2022. 

This is lower than in previous months following a trend seen in previous years for numbers to be lower than usual across the summer months. There were 22 underlying causes for the 18 breaches with some reports including more than a single cause. 

Despite the number of incidents reported being low, the number of people affected was high this period due to a single reported incident that led to the accidental destruction of a large number of records containing people’s names, dates of birth, and medical information. 

The Bailiwick’s Data Protection Commissioner Emma Martins explains why data breach reporting is so important: 

“We are committed to encouraging open, constructive conversations around data breaches to support prevention and learning. Our latest figures also usefully highlight that we sometimes need to look beyond the headline figures. It is not the number of incidents that is always the most significant factor, it is the number of people affected. We continue to be grateful to our regulated community for taking their responsibilities in respect of data breach reporting seriously. A mature and proactive process of breach reporting benefits all parties.” 

More information about how to handle a data breach can be found at:


Number of personal data breaches reported to the ODPA (Oct 2018 – present): view statistics for every two-month period from October 2018 - present.

More information about how to handle personal data breaches.  

This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it. 

Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.